If you are running a mission critical server, or maintaining a storage server loaded with sensitive data, you probably want to closely monitor file access activities within the server. For example, you want to track any unauthorized change in system configuration files such as /etc/passwd.

To monitor who changed or accessed files or directories on Linux, you can use the Linux Audit System which provides system call auditing and monitoring. In the Linux Audit System, a daemon called auditd is responsible for monitoring individual system calls, and logging them for inspection.

In this tutorial, I will describe how to monitor file access on Linux by using auditd.

To install auditd on Debian, Ubuntu:

$ sudo apt-get install auditd

Once installed by apt-get, auditd will be set to start automatically upon boot.

To install auditd on Fedora, CentOS or RHEL:

$ sudo yum install audit

If you want to start auditd automatically upon boot on Fedora, CentOS or RHEL, you need to run the following.

$ sudo chkconfig auditd on

Once auditd is installed, you can configure it in one of two ways. One is the command-line utility auditctl. The other is to edit the audit configuration file located at /etc/audit/audit.rules. In this tutorial, I will use the audit configuration file.

Once auditd is running, it writes audit records to /var/log/audit/audit.log as auditing proceeds.

A command-line tool called ausearch lets you query the audit log for specific events or violations.

To check whether a specific file (e.g., /etc/passwd) has been accessed by anyone, run the following. As shown in the example audit configuration above, auditd records when /etc/passwd is modified or tampered with via chmod.
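As an added example (not code from the original post), the script below does by hand what `ausearch -k` does: it groups the SYSCALL, CWD and PATH records of /var/log/audit/audit.log by their shared `msg=audit(timestamp:serial)` stamp and reports who touched which file for a given rule key. It assumes a watch rule `-w /etc/passwd -p wa -k passwd_changes` in /etc/audit/audit.rules; the log records are constructed, not captured from a real host.

```python
import re
from collections import defaultdict

# Constructed sample of audit.log records (not a real capture). Records that
# belong to one event share the same msg=audit(timestamp:serial) stamp.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1393000000.123:456): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=1000 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=2 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=CWD msg=audit(1393000000.123:456): cwd="/root"
type=PATH msg=audit(1393000000.123:456): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1393000000.123:456): item=1 name="/etc/passwd" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1393000100.456:457): arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=2000 pid=2345 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=3 comm="chmod" exe="/usr/bin/chmod" key="passwd_changes"
type=CWD msg=audit(1393000100.456:457): cwd="/home/bob"
type=PATH msg=audit(1393000100.456:457): item=0 name="/etc/passwd" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1393000200.789:458): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=3000 pid=3456 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=2 comm="cat" exe="/usr/bin/cat" key="hostname_reads"
type=PATH msg=audit(1393000200.789:458): item=0 name="/etc/hostname" inode=140 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def parse_record(line):
    """Turn one key=value audit record into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def group_events(log_text):
    """Group SYSCALL/CWD/PATH records by their (timestamp, serial) stamp."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = STAMP_RE.search(line)
        if m:
            events[(m.group(1), m.group(2))].append(parse_record(line))
    return events

def find_accesses(log_text, key):
    """Report who touched which file for events tagged with the given rule key.
    auid is the login uid, so a user who escalated with sudo (uid=0) is still
    attributed to the account that originally logged in."""
    hits = []
    for (ts, serial), records in group_events(log_text).items():
        sc = next((r for r in records if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("key") != key:
            continue
        files = [r["name"] for r in records
                 if r["type"] == "PATH" and r.get("nametype") == "NORMAL"]
        hits.append({"time": ts, "serial": serial, "login_uid": sc.get("auid"),
                     "uid": sc.get("uid"), "syscall": sc.get("syscall"),
                     "success": sc.get("success"), "comm": sc.get("comm"),
                     "exe": sc.get("exe"), "files": files})
    return hits

if __name__ == "__main__":
    for h in find_accesses(SAMPLE_LOG, "passwd_changes"):
        print(h)
```

Run against the real log with `open("/var/log/audit/audit.log").read()` as root; the `login_uid` column is what tells you which account was behind a root-level change.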